Dave explains, "There are a lot of civil and criminal issues that could come into play if an untrained person (let's use a sysadmin) was to conduct a forensic examination. For example: The sysadmin identifies user X on their network who is downloading child pornography. The sysadmin shows the evidence to his employer, who then transfers the evidence to senior executives. User X is fired on the spot and escorted out of the building. Several issues occur here: Are you sure the files are there? Are you sure you got the right user? How about User Y borrowing User X's machine for a while? As for the emailing of the evidence to people within the company, the sysadmin has just unknowingly committed distribution of said illegal materials over the network, and there is a distinct possibility that the wrong user was fired and the corporation will be facing an embarrassing lawsuit.

Another example: The sysadmin identifies a user doing something very unseemly such as threatening another employee via email. However, because the sysadmin is untrained, he contaminates the evidence. Now, someone in law enforcement has to figure out a way around the contaminated data to continue with the investigation."

Computer forensics in the hands of a properly trained investigator can prevent these issues by providing detailed facts regarding the origin of the illegal material and accurate identification of the user responsible. It can also preserve the digital evidence for use in pressing charges, following best-practice, court-upheld standards.

There has been an upsurge in the number of computer forensics experts in the security field. This is especially apparent in the consulting industry. Wondering what the major differences were between a forensics consultant and a law enforcement investigator, I again went to Dave for answers.

"The difference between corporate and law enforcement is the training the individual examiner has received. In my opinion, the Federal Law Enforcement Training Center (FLETC) has the best training anywhere but it's for law enforcement only. I have seen numerous seminars/conferences which charge a good sum of money and give inadequate training."

It's important to note that there are also numerous highly qualified forensics investigators available to assist with critical cases and successfully preserve evidence for trial. There are also several reputable courses taught nationwide through vendors and consultancies that are able to prepare investigators to face complex investigative circumstances.

A word of caution to anyone in need of computer forensics expertise: check references! All reputable forensics firms, including vendors with professional services divisions and independent investigators, should be able to provide a list of customers and/or references that can bolster their claims. While details of actual cases solved will be highly confidential, the reputation and collective expertise of the investigators should be readily apparent. Past accomplishments, professional organizations, client references and provable experience are crucial to making the proper hire.

Compromising data and utilizing unproven forensic methodology can do much more damage than the crime itself. Choose your investigators with the same common sense that you would use to choose your surgeon.

Dave elaborates, "In my day-to-day dealings with people, 90% of computer forensics experts have never seen or touched a Unix system. There are a bunch of reasons for this, most due to the lack of official training in this environment. Most experts deal with Windows because it's easier to understand. Taking several courses in a subject does not make a person an expert.

To give you an example of where experts fail with expertise: a federal investigator was told to image a single-drive Windows 2000 server. Instead of creating a digital image of the physical drive, he converted the file system from FAT32 to NTFS, then made a logical backup of the drive. By his actions, he had destroyed the original evidence and damaged my case. Standard procedure would have been to boot from a controlled floppy, create a physical image of the drive and send it to another hard drive without writing a thing to the victim drive. I would not term this person an expert by any means; however, his title and rank indicate that he is.

I also know of a government employee who is a self-proclaimed forensic expert. It says as much on his email signature block. This person has never actually conducted an investigation. However, he did take numerous courses on the subject and he has an excellent resume. A classic case of expert vs. expertise."
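The imaging mistake Dave describes above, put into runnable form. This is an added example, not code from the article or from Dave: it builds a small constructed "drive" (a fixed-layout byte blob standing in for a raw device, with one allocated file and one sector of unallocated space still holding the remains of a deleted file), then contrasts a physical, bit-for-bit image with a logical, file-level copy. The physical image is taken from a read-only handle and verified by comparing a hash of the source as read with a hash of the finished image; the logical copy silently drops the unallocated sector. The sector layout and the `demo()` wrapper are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

# Constructed sample "drive" (not real evidence): sector 0 holds an allocated
# file the file system still lists; sector 1 is unallocated space that still
# contains the remnant of a deleted file. Layout is an assumption for the demo.
SECTOR = 512
ALLOCATED_FILE = b"quarterly-report.txt: nothing unusual here\n"
DELETED_REMNANT = b"[deleted email fragment: threat sent to a colleague]"


def build_sample_drive(path):
    """Write the two-sector constructed drive to disk and return its path."""
    with open(path, "wb") as f:
        f.write(ALLOCATED_FILE.ljust(SECTOR, b"\x00"))
        f.write(DELETED_REMNANT.ljust(SECTOR, b"\x00"))
    return path


def sha256_file(path, block_size=4096):
    """Stream a file through SHA-256; used to verify the acquired image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def physical_image(source_path, image_path, block_size=4096):
    """Bit-for-bit copy of the whole device (what dd to a second drive does).

    The source is opened read-only and hashed as it is read; the finished
    image is re-read and hashed so the two digests can be recorded together
    and compared, which is the 'verified acquisition' step.
    """
    h_src = hashlib.sha256()
    fd = os.open(source_path, os.O_RDONLY)  # never opened for writing
    with os.fdopen(fd, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            h_src.update(chunk)
            dst.write(chunk)
    src_digest = h_src.hexdigest()
    img_digest = sha256_file(image_path)
    return {"source_sha256": src_digest,
            "image_sha256": img_digest,
            "verified": src_digest == img_digest}


def logical_copy(source_path, copy_path):
    """What a file-level backup does: copies only the allocated file's bytes
    (sector 0 up to its NUL padding) and never looks at unallocated space."""
    with open(source_path, "rb") as src:
        allocated = src.read(SECTOR).rstrip(b"\x00")
    with open(copy_path, "wb") as dst:
        dst.write(allocated)
    return copy_path


def contains(path, needle):
    """True if the raw bytes of `path` contain `needle`."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo():
    """Run the comparison in a scratch directory and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        drive = build_sample_drive(os.path.join(d, "evidence.raw"))
        image = os.path.join(d, "evidence.dd")
        backup = os.path.join(d, "evidence-logical.bak")
        result = physical_image(drive, image)
        logical_copy(drive, backup)
        result["physical_has_remnant"] = contains(image, DELETED_REMNANT)
        result["logical_has_remnant"] = contains(backup, DELETED_REMNANT)
        # The source must hash the same after acquisition as it did during it.
        result["source_untouched"] = sha256_file(drive) == result["source_sha256"]
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the two digests and four booleans; the point is that the physical image still carries the deleted fragment and verifies against the source, while the logical copy has lost it and there is nothing to compare it against. On a real acquisition the same discipline applies: read the device through a write blocker or read-only handle, hash as you read, hash the image afterwards, and record both digests with the case notes.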
